<div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif">For the replies. Matlab was an example. I would also like to create to containers for OpenFoam with different versions. Then a user can choose what he actually wants.</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">I would also like to know, if the technologies you mentioned can be deployed in multinode clusters. Currently, we use Rocks 7. Should I install singularity (or others) on all nodes or just the frontend?</div><div class="gmail_default" style="font-family:tahoma,sans-serif">And then, can users use "srun" or "salloc" for interactively login to a node and run the container or not?</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><font face="tahoma,sans-serif">Regards,<br>Mahmood</font><br><br><br></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Sep 19, 2019 at 8:03 PM Michael Jennings <<a href="mailto:mej@lanl.gov">mej@lanl.gov</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Docker is the wrong choice for HPC, at least today. But Podman, from<br>
Red Hat's CRI-O project, is a drop-in replacement for Docker which<br>
doesn't use the client-server model of Docker and therefore addresses<br>
many of the challenges with trying to run Docker for HPC user jobs.<br>
<br>
There's also LANL's Charliecloud, which is a highly optimized<br>
container runtime that (unlike the other options in this space, save<br>
Podman) DOES NOT require any root privileges whatsoever, not even at<br>
install time. For (hopefully obvious) security reasons, you are far<br>
safer using one of the unprivileged options.<br>
<br>
Here at Los Alamos, we use both Charliecloud and Podman/Buildah along<br>
with the Spokeo and umoci tools. While we do not permit Singularity<br>
on our systems for security reasons and don't run Shifter because it<br>
requires privilege, we have had Charliecloud deployed and actively<br>
used on both our Classified and Open Science systems for well over a<br>
year now, and we are in the process of getting Podman/Buildah and<br>
friends into the Secure systems as we speak.<br>
<br>
(Note that all of the above require RHEL7 or higher; if you need RHEL6<br>
support, you'll want to check out Shifter.)<br>
<br>
Here are some videos of talks that might help you get up-to-speed on<br>
this subject:<br>
<br>
"LISA18 - Containers and Security on Planet X"<br>
(<a href="https://youtu.be/F3qCvZMzUtE" rel="noreferrer" target="_blank">https://youtu.be/F3qCvZMzUtE</a>) - Why containers matter for HPC, what<br>
makes HPC so different from the typical Docker/AppC use cases, and how<br>
to choose the right solution for your site.<br>
<br>
"Charliecloud - Unprivileged Containers for HPC"<br>
(<a href="https://youtu.be/ESsZgcaP-ZQ" rel="noreferrer" target="_blank">https://youtu.be/ESsZgcaP-ZQ</a>) - What containers actually are under<br>
the hood, how they work, what they are good for, and how to get up and<br>
running with Charliecloud in under 5 minutes.<br>
<br>
"Container Mythbusters" (<a href="https://youtu.be/FFyXdgWXD3A" rel="noreferrer" target="_blank">https://youtu.be/FFyXdgWXD3A</a>) - Dispelling<br>
common misconceptions and debunking propaganda around containers,<br>
container runtime security, and when/how you should (and should NOT)<br>
use containers.<br>
<br>
Hope those help!<br>
Michael<br>
<br>
-- <br>
Michael E. Jennings <<a href="mailto:mej@lanl.gov" target="_blank">mej@lanl.gov</a>><br>
HPC Systems Team, Los Alamos National Laboratory<br>
Bldg. 03-2327, Rm. 2341 W: +1 (505) 606-0605<br>
<br>
</blockquote></div></div>